Cold storage setup

[papadadfather]

I'm trying to create a cold storage for some BTC. I don't have any prior experiece with Armory.

The guides talk about having a computer that you never connect to the internet, the one you use to create a wallet file.

How about booting to a linux distribution from an USB drive and doing it there? Is there some key layer of security I lose?

What if I literally remove all the prior HDDs on the machine, then boot from the USB? In essence this would be a new computer that hasn't ever been connected to the internet, or what am I missing?

[TierNolan]

How about booting to a linux distribution from an USB drive and doing it there? Is there some key layer of security I lose?

A completely separated computer cannot receive a virus at all. 

The main thing you lose is that a BIOS/firmware based virus could still affect you.

As you realised, there is a risk that your USB based OS will mount your hard drives and execute malware (automatically, or you accidentally trigger it).

I think a CD based OS would be better than USB, since the CD is read-only.

Getting your transactions over to the cold storage is also a risk point.

[papadadfather]

A completely separated computer cannot receive a virus at all. 

How do you know it's been separated  the whole time? Did you build all the components from scratch? You don't know where they've been prior to you getting them. Even if you got everything straight from the factory manufacturer's have been caught hiding backdoors and exploits in their hardware since the 90s at least.

What about the OS you load in it. Did you build and develop it yourself? You know every line of code in it?

[goatpig]

I'm trying to create a cold storage for some BTC. I don't have any prior experiece with Armory.

The guides talk about having a computer that you never connect to the internet, the one you use to create a wallet file.

How about booting to a linux distribution from an USB drive and doing it there? Is there some key layer of security I lose?

What if I literally remove all the prior HDDs on the machine, then boot from the USB? In essence this would be a new computer that hasn't ever been connected to the internet, or what am I missing?

Don't, that's a terrible idea.

[papadadfather]

Don't, that's a terrible idea.

Why?

https://bitcointalk.org/index.php?topic=241730.0

What's wrong with this?

[goatpig]

What's wrong with this?

Don't know, didn't read it. This is stuff from back in 2013 written by a user, not a dev/expert, for newbies.

Why?

Don't have time for a long winded explanation, research that yourself. The security model for offline signing is to use an air gapped signer. Either respect the model or downgrade your security assumption. Caveat emptor.

[TierNolan]

How do you know it's been separated  the whole time? Did you build all the components from scratch? You don't know where they've been prior to you getting them. Even if you got everything straight from the factory manufacturer's have been caught hiding backdoors and exploits in their hardware since the 90s at least.

What about the OS you load in it. Did you build and develop it yourself? You know every line of code in it?

If it's not separated, then it's not separated.

The assumption is that the initial setup of your offline computer is reasonably secure.

Each time it communicates with the outside world there is a risk of something going wrong.

Your offline computer might be virus free, but a vulnerability means that it autoruns USB devices.  If there is a virus on the USB stick that you use to transfer your transactions, then the offline computer could be compromised.

Even if you have a virus, it has to be able to get data to the outside world, or no harm is done.

Offline		Online		Comment		Countermeasure
Clean		Clean		This system is safe		None needed
Clean		Compromised		This allows false transactions to be sent for signing		You must check the transaction's destination and value on the offline computer
Compromised		Clean		This allows false transactions to be sent back from signing		You must check the transaction's destination and value on the online computer
Compromised		Compromised		The offline virus can just send your private keys to the online computer for forwarding to the internet		None

The key point is that as long as you check the transaction on both your offline and online computer, then you are safe as long as at least one of the 2 are clean.  

Even if both are compromised, they have to both be compromised by viruses that cooperate with each other.

One interesting side case is where the offline computer leaks private key data over time.  For example, it tries to sign a few times until it gets certain bits in the signature to match a pattern.

That is useless for generate keys but could be used to leak the master private key and chain-code.